Welcome to MSDN Blogs Sign in | Join | Help

Beware the Image File Execution Options key

Beware the Image File Execution Options key (more). Its power can be used for evil as well as for good.

Its intended use is to force a program to run under a debugger regardless of how it is launched (and secondarily to alter how the system treats the program). It's handy if you need to debug a program "in the wild" rather than under the controlled environment of your favorite IDE. For example, you can use it if you want to debug how a program runs when it is launched by some other program you can't debug.

Two things people often forget:

  • If you err in specifying the debugger, the program won't launch at all. For example, if you get the path to the debugger wrong or if you subsequently uninstall the debugger, you'll get ERROR_FILE_NOT_FOUND when you try to run the target program since the system can't find the debugger.
  • Remember to delete the entry for your program when you no longer need it. Otherwise you'll wonder why the debugger keeps launching for no apparent reason.

Evil can be done with the Image File Execution Options key. Malware can install themselves as the "debugger" for a frequently-run program (such as Explorer) and thereby inject themselves into the execution sequence.

Note that the ability to use the Image File Execution Options key for evil purposes is not a security hole. To modify the key in the first place requires administrator permissions. Consequently, anybody who can exploit this feature already owns your machine.

Published Monday, December 19, 2005 7:00 AM by oldnewthing
Filed under:

Comments

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 10:58 AM by GregM
Thank you!!!!

I wish I knew about this YEARS ago. It's always a pain to try to debug startup problems that only happen when a user double-clicks on one of your files in Windows Explorer.

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 11:08 AM by Aaron Margosis
One non-debugging use (for good): Process Explorer (from SysInternals.com) can make itself a replacement for Task Manager. The IFEO key is how it does that.

The fact that it can be used for Evil is why IFEO keys are listed by SysInternals' "AutoRuns" utility. But as Raymond alludes, if the bad guys have inserted an IFEO key, they can also load a kernel-mode rootkit that can completely hide the fact that they've done so.

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 11:25 AM by Dan McKinley
It can also be used for high comedy.

http://mcfunley.com/cs/blogs/dan/archive/2005/06/23/448.aspx

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 9:32 PM by Cheong
Dan McKinley,

Your comment make me think of the idea for commercial spys to steal information.

In a less secure company where staffs share workstations and everyone has admin right login, one can easily use prewritten programs to inject the key to other users registry, then have others run the background program to steal information using their identity.

The spy will just have to remember to wipe the key out when completed, and the database log will only show the ID of another staff have downloaded suspiciously huge amount of data.

How do others think? I'll be glad to know this won't be the case for whatever reason.

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 10:19 PM by Dan McKinley
I think that's basically what Raymond is saying. I gave a fairly benign abuse of the debugger value, but running users as admins opens you up to malware that takes advantage of it.

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 10:58 PM by Norman Diamond
If you insert a Sony CD into your machine while logged in with administrative privileges, then Sony 0wns your machine. So why did Sony bother constructing a rootkit? They 0wn your machine.

Well, Sony constructed a rootkit because they wanted to make it difficult for you to discover that they 0wn your machine. Malware does benefit by making it hard for you to notice it's there.

Of course we can't do away with such an important debugging tool, but maybe something can be done. Consider that blank passwords, even when they are the correct passwords, no longer authenticate incoming network connections. Maybe the Image File Execution Options key can be made more restrictive, maybe only allowing the launching of known debuggers so that the user knows it's happening.

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 11:24 PM by Aaron
You don't think thats a security hole? How many people run the different versions of Windows out there as a non-admin?

I've never run as anything other than an Admin. Windows just doesn't seem designed for you to switch users or something when you want to do an Admin task... Maybe thats just cause I have used it for awhile, but I gotta figure there are tons of people like me out there.

# re: Beware the Image File Execution Options key

Monday, December 19, 2005 11:45 PM by Dean Harding
But that's the point, Aaron, if you're already running as an admin then there's nothing that these keys will give you that you can't do already. It's only a security problem if they gave you MORE power than you would normally have. For example, if you were already an admin there's no reason why you couldn't just copy your malicious executable over C:\WINDOWS\notepad.exe.

The security hole is the fact that you're running as an admin in the first place, not the fact that an admin can modify those keys.

# re: Beware the Image File Execution Options key

Tuesday, December 20, 2005 9:45 AM by Tim Marman
Yeah, I wrote about using this for comedy back in 2004 in a post entitled "How to Have Fun... At the expense of your coworkers".

http://slashstar.com/blogs/tim/archive/2004/07/12/751.aspx

# re: Beware the Image File Execution Options key

Wednesday, December 21, 2005 4:17 AM by Purplet [italy]
Norman, what is a "known debugger" ?

There is a whole bunch of debuggers from different vendors, open source or in house developed.

The power of choosing which ones are trusted debuggers and which ones aren't won't choose the fair competition price..

# re: Beware the Image File Execution Options key

Wednesday, December 21, 2005 4:18 AM by Purplet [italy]
Typo : "won't *choose* the fair competition price" is "won't *win* the fair competition price" ;)

# re: Beware the Image File Execution Options key

Wednesday, December 21, 2005 10:26 PM by Norman Diamond
Wednesday, December 21, 2005 4:17 AM by Purplet [italy]
> Norman, what is a "known debugger" ?

I meant one that's known to the currently running system, e.g. if the administrator has installed Visual Studio 6 and Visual Studio 2005 beta 1 and WinDbg then probably 3 debuggers have been registered.

# re: Beware the Image File Execution Options key

Friday, December 30, 2005 4:39 PM by Mike Fried
Norman Diamond wrote: "I meant one that's known to the currently running system, e.g. if the administrator has installed Visual Studio 6 and Visual Studio 2005 beta 1 and WinDbg then probably 3 debuggers have been registered."

So that just requires an extra step of registering a debugger so you can set it on .exe files. It's an extra hoop that doesn't make a significant difference in the complexity of the attack, and most users don't know what a debugger is, and never launch one intentionally.

I'm going to repeat the mantra: Once someone gets root on your PC the game is over. They own your system. The barriers you throw up only complicate the computer for the technical user. The average user isn't skilled enough to know the difference between a debugger and an anti-virus. They just don't care. Your added check wouldn't prevent the hackers from having their way with your system once you gave them root.

# re: Beware the Image File Execution Options key

Sunday, January 01, 2006 11:00 AM by Anon
Unfortunately there is a lot of software out there that assumes it is running in admin mode, and doesn't work properly otherwise. Including some MS stuff. This forces users to run in admin mode. There needs to be an education effort with both developers and users that this behaviour is a very very bad thing.

# IFEO and Managed-debugging

Thursday, February 16, 2006 2:16 PM by Mike Stall's .NET Debugging Blog
Be careful  of Image File Execution Options (IFEO) with managed debugging - it won't work like you...

# Solutions that don't actually solve anything

Wednesday, May 10, 2006 10:00 AM by The Old New Thing
You've already lost the game.

# Image File Execution Options

Thursday, February 08, 2007 10:28 PM by Wes' Puzzling Blog

Every now and than while debugging I need to either determine when a dll/module is loaded or need to

# Image File Execution Options

Thursday, February 08, 2007 10:29 PM by Wes' Blog

Every now and than while debugging I need to either determine when a dll/module is loaded or need to

# Computer Security Research - McAfee Avert Labs Blog

Tuesday, December 09, 2008 5:41 PM by Computer Security Research - McAfee Avert Labs Blog

PingBack from http://www.avertlabs.com/research/blog/index.php/2008/12/09/image-file-execution-options/

# Image File Execution Options | CHARGED's Digital Lifestyle at Work or Play

Wednesday, December 10, 2008 12:16 PM by Image File Execution Options | CHARGED's Digital Lifestyle at Work or Play

PingBack from http://www.charged.co.za/security/image-file-execution-options

New Comments to this post are disabled
 
Page view tracker